[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Sep 22 23:06:27 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=701

           Summary: With 'PermitRootPassword without-password' set, root
                    w/pass can still log in with a  using 'keyboard-int/pam'
           Product: Portable OpenSSH
           Version: 3.7.1p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: jfh at cise.ufl.edu


When the directive PermitRootLogin is specified as 'without-password', root
can still log in with a password using the 'keyboard-interactive/pam' method 
and possibly others.

The fix is to permit only certain methods to allow root logins, and deny
the rest. The patch I will be providing currently only allows root to login with
the 'publickey' method. Others can be added as necessary, but as methods are
added in the future they will default to not allowing root to login when
PermitRootLogin is set to 'without-password' unless specified in this routine.
(This is different from the patch I sent to the list which allowed root to 
login with all methods except those explicitly denied). 

This may warrant a security announcement as there may be sites with
PermitRootLogin set to 'without-password' who are using PAM for logins
and who are unaware that root can still log in with a password.

Also, the following code in auth-password.c

 #ifndef HAVE_CYGWIN
   if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
           ok = 0;
 #endif

seems to prevent the auth.c:auth_root_allowed() routine from ever being called,
meaning that the following log line in auth.c doesn't get called:

    logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());

When the code in auth-passwd.c is commented out, auth.c:auth_root_allowed()
gets run properly.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.




More information about the openssh-bugs mailing list